<!doctype html>
<html lang="zh-CN">
<head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    
    <meta name="referrer" content="no-referrer-when-downgrade">
    

    <title>挖矿病毒2-分析和排查思路 | Anttu&#39;s Blog</title>
    <meta property="og:title" content="挖矿病毒2-分析和排查思路 - Anttu&#39;s Blog">
    <meta property="og:type" content="article">
        
    <meta property="article:published_time" content='2021-01-28T00:29:47&#43;08:00'>
        
        
    <meta property="article:modified_time" content='2021-01-28T00:29:47&#43;08:00'>
        
    <meta name="Keywords" content="golang,go语言,go语言笔记,anttu,java,博客,bash,linux笔记,python笔记,公众号,小程序">
    <meta name="description" content="挖矿病毒2-分析和排查思路">
        
    <meta name="author" content="Anttu">
    <meta property="og:url" content="https://anttu.gitee.io/post/2021-01-28-miner_virus_2/">
    <link rel="shortcut icon" href='/favicon.ico'  type="image/x-icon">

    <link rel="stylesheet" href='/css/normalize.css'>
    <link rel="stylesheet" href='/css/style.css'>
    <script type="text/javascript" src="//cdn.bootcdn.net/ajax/libs/jquery/3.4.1/jquery.min.js"></script>

    
    
    
    
    
    
        <link rel="stylesheet" href='/css/asciinema-player.css'>
    
</head>


<body>
    <header id="header" class="clearfix">
    <div class="container">
        <div class="col-group">
            <div class="site-name ">
                
                    <a id="logo" href="https://anttu.gitee.io/">
                        Anttu&#39;s Blog
                    </a>
                
                <p class="description">一位Java开发者，喜欢研究技术，同时也在学习Golang和Python中，对服务器、Linux使用比较熟悉。欢迎添加技术交流QQ群：655158296</p>
            </div>
            <div>
                <nav id="nav-menu" class="clearfix">
                    <a class="current" href="https://anttu.gitee.io/">首页</a>
                    
                    <a  href="https://anttu.gitee.io/archives/" title="归档">归档</a>
                    
                    <a  href="https://anttu.gitee.io/tags/" title="分类">分类</a>
                    
                    <a  href="https://anttu.gitee.io/about/" title="关于">关于</a>
                    
                </nav>
            </div>
        </div>
    </div>
</header>

    <div id="body">
        <div class="container">
            <div class="col-group">

                <div class="col-8" id="main">
                    
<div class="res-cons">
    <style type="text/css">
    .post-toc {
        position: fixed;
        width: 200px;
        margin-left: -210px;
        padding: 5px 10px;
        font-family: Athelas, STHeiti, Microsoft Yahei, serif;
        font-size: 12px;
        border: 1px solid rgba(0, 0, 0, .07);
        border-radius: 5px;
        background-color: rgba(255, 255, 255, 0.98);
        background-clip: padding-box;
        -webkit-box-shadow: 1px 1px 2px rgba(0, 0, 0, .125);
        box-shadow: 1px 1px 2px rgba(0, 0, 0, .125);
        word-wrap: break-word;
        white-space: nowrap;
        -webkit-box-sizing: border-box;
        box-sizing: border-box;
        z-index: 999;
        cursor: pointer;
        max-height: 70%;
        overflow-y: auto;
        overflow-x: hidden;
    }

    .post-toc .post-toc-title {
        width: 100%;
        margin: 0 auto;
        font-size: 20px;
        font-weight: 400;
        text-transform: uppercase;
        text-align: center;
    }

    .post-toc .post-toc-content {
        font-size: 15px;
    }

    .post-toc .post-toc-content>nav>ul {
        margin: 10px 0;
    }

    .post-toc .post-toc-content ul {
        padding-left: 20px;
        list-style: square;
        margin: 0.5em;
        line-height: 1.8em;
    }

    .post-toc .post-toc-content ul ul {
        padding-left: 15px;
        display: none;
    }

    @media print,
    screen and (max-width:1057px) {
        .post-toc {
            display: none;
        }
    }
</style>
<div class="post-toc" style="position: absolute; top: 188px;">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
        <nav id="TableOfContents">
  <ul>
    <li><a href="#前言">前言</a></li>
    <li><a href="#1分析">1、分析</a>
      <ul>
        <li><a href="#11-top查看异常进程和占用率">1.1 top查看异常进程和占用率</a></li>
        <li><a href="#12-根据pid查找挖矿病毒的目录">1.2 根据pid查找挖矿病毒的目录</a></li>
        <li><a href="#13-拿到挖矿主体二进制文件">1.3 拿到挖矿主体二进制文件</a></li>
        <li><a href="#14-二进制查看">1.4 二进制查看</a></li>
        <li><a href="#15-有能力的可以上ida查看汇编信息">1.5 有能力的可以上ida查看汇编信息</a></li>
        <li><a href="#16-查找其他痕迹查看感染来源">1.6 查找其他痕迹，查看感染来源</a></li>
        <li><a href="#17-查看日志">1.7 查看日志</a></li>
        <li><a href="#18-病毒工具扫描">1.8 病毒工具扫描</a></li>
        <li><a href="#19-找守护挖矿的进程">1.9 找守护挖矿的进程</a></li>
      </ul>
    </li>
    <li><a href="#2排查思路">2、排查思路</a>
      <ul>
        <li><a href="#21-top异常服务">2.1 top异常服务</a></li>
        <li><a href="#22-查看异常进程目录">2.2 查看异常进程目录</a></li>
        <li><a href="#23-检查定时任务">2.3 检查定时任务</a></li>
        <li><a href="#24-检查账号">2.4 检查账号</a></li>
        <li><a href="#25-检查sudo">2.5 检查sudo</a></li>
        <li><a href="#26-检查环境变量">2.6 检查环境变量</a></li>
        <li><a href="#27-检查执行命令历史记录">2.7 检查执行命令历史记录</a></li>
        <li><a href="#28-检查新增的文件或命令">2.8 检查新增的文件或命令</a></li>
        <li><a href="#29-针对上一步可以采用修改日期排查法">2.9 针对上一步可以采用修改日期排查法</a></li>
        <li><a href="#210-检查异常端口">2.10 检查异常端口</a></li>
        <li><a href="#211-检查启动项">2.11 检查启动项</a></li>
        <li><a href="#212-检查计划任务">2.12 检查计划任务</a></li>
        <li><a href="#213-异常目录">2.13 异常目录</a></li>
        <li><a href="#214-检查安装的服务">2.14 检查安装的服务</a></li>
        <li><a href="#215-检查日志和分析">2.15 检查日志和分析</a></li>
        <li><a href="#216-其他有用的日志">2.16 其他有用的日志</a></li>
        <li><a href="#217-检查安装的rpm包或者是否动过手脚">2.17 检查安装的rpm包或者是否动过手脚</a></li>
        <li><a href="#218-检查命令的完整性">2.18 检查命令的完整性</a></li>
        <li><a href="#219-检查hosts文件">2.19 检查hosts文件</a></li>
        <li><a href="#220-检查ssh文件">2.20 检查.ssh文件</a></li>
        <li><a href="#221-检查防火墙-iptables">2.21 检查防火墙-iptables</a></li>
        <li><a href="#222-检查别名">2.22 检查别名</a></li>
      </ul>
    </li>
    <li><a href="#3加固">3、加固</a>
      <ul>
        <li><a href="#31-条件提前做md5sum值">3.1 条件提前做md5sum值</a></li>
        <li><a href="#32-增加history的记录条数和详细信息">3.2 增加history的记录条数和详细信息</a></li>
      </ul>
    </li>
    <li><a href="#4挖矿病毒的参考">4、挖矿病毒的参考</a></li>
  </ul>
</nav>
    </div>
</div>
<script type="text/javascript">
    $(document).ready(function () {
        var postToc = $(".post-toc");
        if (postToc.length) {
            var leftPos = $("#main").offset().left;
            if (leftPos < 220) {
                postToc.css({ "width": leftPos - 10, "margin-left": (0 - leftPos) })
            }

            var t = postToc.offset().top - 20,
                a = {
                    start: {
                        position: "absolute",
                        top: t
                    },
                    process: {
                        position: "fixed",
                        top: 20
                    },
                };
            $(window).scroll(function () {
                var e = $(window).scrollTop();
                e < t ? postToc.css(a.start) : postToc.css(a.process)
            })
        }

        if ($("#TableOfContents").children().length < 1) {
            $(".post-toc").remove();
        }
    })
</script>
    <article class="post">
        <header>
            <h1 class="post-title">挖矿病毒2-分析和排查思路</h1>
        </header>
        <date class="post-meta meta-date">
            2021年1月28日
        </date>
        
        <div class="post-meta">
            <span>|</span>
            
            <span class="meta-category">
                <a href='/categories/mine' target="_blank">mine</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/virus' target="_blank">virus</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/linux' target="_blank">linux</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/check' target="_blank">check</a>
            </span>
            
        </div>
        
        
        <div class="post-meta">
            <span id="busuanzi_container_page_pv">|<span id="busuanzi_value_page_pv"></span><span>
                    阅读</span></span>
        </div>
        
        
        <div class="clear" style="display: none">
            <div class="toc-article">
                <div class="toc-title">文章目录</div>
            </div>
        </div>
        
        <div class="post-content">
            <h2 id="前言">前言</h2>
<p>1月23日晚上22点附近，公司群收到管理员说阿里云报了挖矿病毒的警告<br>
因此本人手里处理过2次挖矿病毒，针对挖矿病毒的杀毒和溯源，个人整理下心得，也有一部分思路来源网络整理</p>
<h2 id="1分析">1、分析</h2>
<h3 id="11-top查看异常进程和占用率">1.1 top查看异常进程和占用率</h3>
<p>
        <img class="mx-auto" alt="" src="/posts/virus/top2.png" />   
    
发现一个叫sh的进程名几乎占用全部的cpu资源</p>
<h3 id="12-根据pid查找挖矿病毒的目录">1.2 根据pid查找挖矿病毒的目录</h3>
<p>当然用其他方法也可以找出，这里是当挖矿病毒正在运行时这么查找更加容易

        <img class="mx-auto" alt="" src="/posts/virus/proc.png" />   
    
找到挖矿病毒的主体文件所在目录了/tmp/admin/sh</p>
<p>不过通常病毒文件会用隐藏目录，因此进入/tmp后需要用ls -lart查看隐藏目录<br>
最后锁定挖矿病毒主题文件.sh，其他文件经过分析，属于创建的脚本，用于给挖矿病毒主题创造有利的环境<br>

        <img class="mx-auto" alt="" src="/posts/virus/dir.png" />   
    
大多数厉害的挖矿病毒是不会留下脚本的，需要自己根据蛛丝马迹找，能找到脚本可以把修改的地方针对性的还原，没法找到脚本就没法100%还原被修改的配置了</p>
<h3 id="13-拿到挖矿主体二进制文件">1.3 拿到挖矿主体二进制文件</h3>
<p>查看是否加壳，用PEiD.0.95查看

        <img class="mx-auto" alt="" src="/posts/virus/PE.png" />   
    
目前抓住的这个没有加壳，上一次的有加壳

        <img class="mx-auto" alt="" src="/posts/virus/PE_info.png" />   
    
不过查看加壳与否我都没法脱壳的，只是用工具查看是否还有价值的信息，加了强壳的二进制查看的价值不大了</p>
<h3 id="14-二进制查看">1.4 二进制查看</h3>
<p>尝试是否能找到一点有用的信息<br>
比如这个没加壳的就容易看到一些有价值的信息

        <img class="mx-auto" alt="" src="/posts/virus/byte.png" />   
    </p>
<h3 id="15-有能力的可以上ida查看汇编信息">1.5 有能力的可以上ida查看汇编信息</h3>
<p>本人不才。。。只能看个图
不管是汇编视图还是二进制视图，因个人能力不足，无法查看更多有价值的信息

        <img class="mx-auto" alt="" src="/posts/virus/ida1.png" />   
    

        <img class="mx-auto" alt="" src="/posts/virus/ida2.png" />   
    </p>
<h3 id="16-查找其他痕迹查看感染来源">1.6 查找其他痕迹，查看感染来源</h3>
<p>
        <img class="mx-auto" alt="" src="/posts/virus/last.png" />   
    </p>
<h3 id="17-查看日志">1.7 查看日志</h3>
<p>
        <img class="mx-auto" alt="" src="/posts/virus/message.png" />   
    </p>
<h3 id="18-病毒工具扫描">1.8 病毒工具扫描</h3>
<p>
        <img class="mx-auto" alt="" src="/posts/virus/warn1.png" />   
    

        <img class="mx-auto" alt="" src="/posts/virus/warn2.png" />   
    </p>
<h3 id="19-找守护挖矿的进程">1.9 找守护挖矿的进程</h3>
<p>可能是定时任务，也可能是其他二进制脚本

        <img class="mx-auto" alt="" src="/posts/virus/kinsing.png" />   
    </p>
<h2 id="2排查思路">2、排查思路</h2>
<p>先找到病毒主体文件，然后需要有清晰的排查思路，结合搜集到的信息，可以去一些安全或者漏洞网站查询是否有人中招和排查经验，结合已经曝光的信息再加上自己的思路，可以事半功倍</p>
<h3 id="21-top异常服务">2.1 top异常服务</h3>
<p>有的挖矿病毒不会修改服务名，有的会隐藏成sysupdate、networkservice、sysguard这些看着像系统进程的名称，有的还会改成apache、php、mysql等服务名，需要凭职业经验分辨</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>top
</span></span><span style="display:flex;"><span>top &gt; top.txt
</span></span><span style="display:flex;"><span>vi top.txt
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="22-查看异常进程目录">2.2 查看异常进程目录</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ps -axuf | grep pid
</span></span><span style="display:flex;"><span>ls /proc/<span style="color:#000;font-weight:bold">{</span><span style="color:#008080">$pid</span><span style="color:#000;font-weight:bold">}</span>/
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="23-检查定时任务">2.3 检查定时任务</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/etc/crontab
</span></span><span style="display:flex;"><span>/var/spool/cron/root
</span></span></code></pre></td></tr></table>
</div>
</div><p>有修改的话需要还原</p>
<h3 id="24-检查账号">2.4 检查账号</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/etc/passwd
</span></span><span style="display:flex;"><span>/etc/shadow
</span></span></code></pre></td></tr></table>
</div>
</div><p>有新增异常账号需要删除,需要留意特权账号uid=0的</p>
<h3 id="25-检查sudo">2.5 检查sudo</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/etc/sudoers
</span></span></code></pre></td></tr></table>
</div>
</div><p>有新增的异常命令或者账号需要清理</p>
<h3 id="26-检查环境变量">2.6 检查环境变量</h3>
<p>root账号的环境变量文件</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">7
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>~/.bash_profile
</span></span><span style="display:flex;"><span>~/.bashrc
</span></span><span style="display:flex;"><span>~/.cshrc
</span></span><span style="display:flex;"><span>~/.tcshrc
</span></span><span style="display:flex;"><span>~/.profile
</span></span><span style="display:flex;"><span>/etc/profile
</span></span><span style="display:flex;"><span><span style="color:#0086b3">echo</span> <span style="color:#008080">$PATH</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>有新增的话需要清理</p>
<p>其他业务账号的环境变量文件需要挨个检查下，因为已经发现本次是admin账号感染，这里就主要排查admin账号</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/<span style="color:#008080">$HOME</span>/.bash_profile
</span></span><span style="display:flex;"><span>/<span style="color:#008080">$HOME</span>/.bashrc
</span></span><span style="display:flex;"><span>/<span style="color:#008080">$HOME</span>/.cshrc
</span></span><span style="display:flex;"><span>/<span style="color:#008080">$HOME</span>/.tcshrc
</span></span><span style="display:flex;"><span>/<span style="color:#008080">$HOME</span>/.profile
</span></span><span style="display:flex;"><span><span style="color:#0086b3">echo</span> <span style="color:#008080">$PATH</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="27-检查执行命令历史记录">2.7 检查执行命令历史记录</h3>
<p>大多数厉害的挖矿病毒会清理history -c，因此抱着试试看的想法还是检查下</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>.bash_history
</span></span></code></pre></td></tr></table>
</div>
</div><p>如果服务器上还有其他服务，比如mysql redis mongodb等也需要排查下，比如勒索病毒就好这口</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>.rediscli_history
</span></span><span style="display:flex;"><span>.mysql_history
</span></span><span style="display:flex;"><span>.dbshell
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="28-检查新增的文件或命令">2.8 检查新增的文件或命令</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ls -lart /bin
</span></span><span style="display:flex;"><span>ls -lart /sbin
</span></span><span style="display:flex;"><span>ls -lart /usr/bin/
</span></span><span style="display:flex;"><span>ls -lart /usr/sbin/
</span></span><span style="display:flex;"><span>ls -lart /tmp
</span></span><span style="display:flex;"><span>ls -lart /etc/init.d/
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="29-针对上一步可以采用修改日期排查法">2.9 针对上一步可以采用修改日期排查法</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 查找777权限的文件</span>
</span></span><span style="display:flex;"><span>find . -name * -perm <span style="color:#099">777</span>
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 按日期查找</span>
</span></span><span style="display:flex;"><span>find . -type f -newermt 2020-09-24 -ls
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 按时间范围查找</span>
</span></span><span style="display:flex;"><span>find . -newermt <span style="color:#d14">&#34;2019-09-09 00:00:00&#34;</span> -not -newermt <span style="color:#d14">&#34;2019-09-10 00:00:00+1&#34;</span>  
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="210-检查异常端口">2.10 检查异常端口</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>netstat -antlp|more
</span></span><span style="display:flex;"><span>arp -a
</span></span><span style="display:flex;"><span>lsof -i
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="211-检查启动项">2.11 检查启动项</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>vi  /etc/inittab
</span></span><span style="display:flex;"><span><span style="color:#008080">id</span><span style="color:#000;font-weight:bold">=</span>3：initdefault  <span style="color:#998;font-style:italic">#系统开机后直接进入哪个运行级别</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>more /etc/rc.local 
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># /etc/rc.d/rc[0~6].d </span>
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc0.d/
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc1.d/
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc2.d/
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc3.d/
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc4.d/
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc5.d/
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/rc6.d/
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>ls -lart /etc/rc.d/init.d/
</span></span></code></pre></td></tr></table>
</div>
</div><p>清理异常启动项</p>
<h3 id="212-检查计划任务">2.12 检查计划任务</h3>
<p>一般会隐藏</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>crontab -l
</span></span><span style="display:flex;"><span>ls /etc/cron*
</span></span><span style="display:flex;"><span>/etc/crontab
</span></span><span style="display:flex;"><span>/var/spool/cron/root
</span></span><span style="display:flex;"><span>/etc/anacrontab
</span></span><span style="display:flex;"><span>/var/spool/anacron/*
</span></span></code></pre></td></tr></table>
</div>
</div><p>清理和还原定时任务</p>
<h3 id="213-异常目录">2.13 异常目录</h3>
<p>挖矿一般喜欢用.隐藏目录或者/tmp下</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ls -lart /tmp | more
</span></span><span style="display:flex;"><span>ls -lart ~ | more
</span></span><span style="display:flex;"><span>ls -lart <span style="color:#008080">$HOME</span> | more
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="214-检查安装的服务">2.14 检查安装的服务</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>chkconfig  --list | more
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 中文环境</span>
</span></span><span style="display:flex;"><span>chkconfig --list | grep <span style="color:#d14">&#34;3:启用\|5:启用&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 英文环境</span>
</span></span><span style="display:flex;"><span>chkconfig --list | grep <span style="color:#d14">&#34;3:on\|5:on&#34;</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="215-检查日志和分析">2.15 检查日志和分析</h3>
<p>系统日志 日志默认存放位置：/var/log/</p>
<p>查看日志配置情况：more /etc/rsyslog.conf</p>
<table>
<thead>
<tr>
<th>日志文件</th>
<th>说明</th>
</tr>
</thead>
<tbody>
<tr>
<td>/var/log/cron</td>
<td>记录了系统定时任务相关的日志</td>
</tr>
<tr>
<td>/var/log/cups</td>
<td>记录打印信息的日志</td>
</tr>
<tr>
<td>/var/log/dmesg</td>
<td>记录了系统在开机时内核自检的信息，也可以使用dmesg命令直接查看内核自检信息</td>
</tr>
<tr>
<td>/var/log/mailog</td>
<td>记录邮件信息</td>
</tr>
<tr>
<td>/var/log/message</td>
<td>记录系统重要信息的日志。这个日志文件中会记录Linux系统的绝大多数重要信息，如果系统出现问题时，首先要检查的就应该是这个日志文件</td>
</tr>
<tr>
<td>/var/log/btmp</td>
<td>记录错误登录日志，这个文件是二进制文件，不能直接vi查看，而要使用lastb命令查看</td>
</tr>
<tr>
<td>/var/log/lastlog</td>
<td>记录系统中所有用户最后一次登录时间的日志，这个文件是二进制文件，不能直接vi，而要使用lastlog命令查看</td>
</tr>
<tr>
<td>/var/log/wtmp</td>
<td>永久记录所有用户的登录、注销信息，同时记录系统的启动、重启、关机事件。同样这个文件也是一个二进制文件，不能直接vi，而需要使用last命令来查看</td>
</tr>
<tr>
<td>/var/log/utmp</td>
<td>记录当前已经登录的用户信息，这个文件会随着用户的登录和注销不断变化，只记录当前登录用户的信息。同样这个文件不能直接vi，而要使用w,who,users等命令来查询</td>
</tr>
<tr>
<td>/var/log/secure</td>
<td>记录验证和授权方面的信息，只要涉及账号和密码的程序都会记录，比如SSH登录，su切换用户，sudo授权，甚至添加用户和修改用户密码都会记录在这个日志文件中</td>
</tr>
</tbody>
</table>
<h3 id="216-其他有用的日志">2.16 其他有用的日志</h3>
<p>apt-get安装日志</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>gedit /var/log/apt/term.log
</span></span><span style="display:flex;"><span>cat /var/log/apt/history.log | more
</span></span><span style="display:flex;"><span>/var/log/dpkg.log
</span></span></code></pre></td></tr></table>
</div>
</div><p>yum安装日志和历史信息</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 查看yum安装软件日志的方法</span>
</span></span><span style="display:flex;"><span>/var/log/yum.log
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># 查看yum使用的历史记录的方法</span>
</span></span><span style="display:flex;"><span>yum <span style="color:#0086b3">history</span> info
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="217-检查安装的rpm包或者是否动过手脚">2.17 检查安装的rpm包或者是否动过手脚</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">16
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">[</span>root@docker-test ~<span style="color:#000;font-weight:bold">]</span><span style="color:#998;font-style:italic"># rpm -Va</span>
</span></span><span style="display:flex;"><span>....L....  c /etc/pam.d/fingerprint-auth
</span></span><span style="display:flex;"><span>....L....  c /etc/pam.d/password-auth
</span></span><span style="display:flex;"><span>....L....  c /etc/pam.d/postlogin
</span></span><span style="display:flex;"><span>....L....  c /etc/pam.d/smartcard-auth
</span></span><span style="display:flex;"><span>....L....  c /etc/pam.d/system-auth
</span></span><span style="display:flex;"><span>.M.......  g /var/log/dmesg
</span></span><span style="display:flex;"><span>.M.......  g /var/log/dmesg.old
</span></span><span style="display:flex;"><span>.......T.  c /etc/selinux/targeted/contexts/customizable_types
</span></span><span style="display:flex;"><span>S.5....T.  c /etc/sysconfig/authconfig
</span></span><span style="display:flex;"><span>.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
</span></span><span style="display:flex;"><span>.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
</span></span><span style="display:flex;"><span>.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
</span></span><span style="display:flex;"><span>.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
</span></span><span style="display:flex;"><span>.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
</span></span><span style="display:flex;"><span>.M.......  g /boot/initramfs-3.10.0-957.el7.x86_64.img
</span></span></code></pre></td></tr></table>
</div>
</div><p>参数说明：</p>
<table>
<thead>
<tr>
<th>参数</th>
<th>含义</th>
</tr>
</thead>
<tbody>
<tr>
<td>S</td>
<td>表示文件长度发生了变化</td>
</tr>
<tr>
<td>M</td>
<td>表示文件的访问权限或文件类型发生了变化</td>
</tr>
<tr>
<td>5</td>
<td>表示MD5校验和发生了变化</td>
</tr>
<tr>
<td>D</td>
<td>表示设备节点的属性发生了变化</td>
</tr>
<tr>
<td>L</td>
<td>表示文件的符号链接发生了变化</td>
</tr>
<tr>
<td>U</td>
<td>表示文件/子目录/设备节点的owner发生了变化</td>
</tr>
<tr>
<td>G</td>
<td>表示文件/子目录/设备节点的group发生了变化</td>
</tr>
<tr>
<td>T</td>
<td>表示文件最后一次的修改时间是发生了变化</td>
</tr>
</tbody>
</table>
<h3 id="218-检查命令的完整性">2.18 检查命令的完整性</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>rpm -qf /bin/ls
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="219-检查hosts文件">2.19 检查hosts文件</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/etc/hosts
</span></span></code></pre></td></tr></table>
</div>
</div><p>清理异常的映射地址</p>
<h3 id="220-检查ssh文件">2.20 检查.ssh文件</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ls -lart ~/.ssh
</span></span><span style="display:flex;"><span>ls -lart <span style="color:#008080">$HOME</span>/.ssh
</span></span></code></pre></td></tr></table>
</div>
</div><p>清理异常的pub key和ssh信任</p>
<h3 id="221-检查防火墙-iptables">2.21 检查防火墙-iptables</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>iptables --list
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># centos</span>
</span></span><span style="display:flex;"><span>cat /etc/sysconfig/iptables-config
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"># ubuntu没有具体的规则文件，保存在内存中</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>清理异常的规则</p>
<h3 id="222-检查别名">2.22 检查别名</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#0086b3">alias</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>清理异常的别名</p>
<h2 id="3加固">3、加固</h2>
<p>这里列举下部分比较容易的加固方式</p>
<h3 id="31-条件提前做md5sum值">3.1 条件提前做md5sum值</h3>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>find / -user root -perm -2000 -print | xargs md5sum &gt; 1.log
</span></span><span style="display:flex;"><span>find / -user root -perm -4000 -print | xargs md5sum &gt; 2.log
</span></span></code></pre></td></tr></table>
</div>
</div><p>提前把关键文件的md5值搜集，后续可以比对</p>
<h3 id="32-增加history的记录条数和详细信息">3.2 增加history的记录条数和详细信息</h3>
<p>保存1W条history</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#008080">HISTFILESIZE</span><span style="color:#000;font-weight:bold">=</span><span style="color:#099">2000</span> <span style="color:#998;font-style:italic">#设置保存历史命令的文件大小</span>
</span></span><span style="display:flex;"><span><span style="color:#008080">HISTSIZE</span><span style="color:#000;font-weight:bold">=</span><span style="color:#099">10000</span>    <span style="color:#998;font-style:italic">#保存历史命令条数</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>history记录详细信息</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#998;font-style:italic">###### 加固历史命令显示 #########</span>
</span></span><span style="display:flex;"><span><span style="color:#008080">USER_IP</span><span style="color:#000;font-weight:bold">=</span><span style="color:#d14">`</span>who -u am i 2&gt;/dev/null | awk <span style="color:#d14">&#39;{print $NF}&#39;</span> | sed -e <span style="color:#d14">&#39;s/[()]//g&#39;</span><span style="color:#d14">`</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">if</span> <span style="color:#000;font-weight:bold">[</span> <span style="color:#d14">&#34;</span><span style="color:#008080">$USER_IP</span><span style="color:#d14">&#34;</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;&#34;</span> <span style="color:#000;font-weight:bold">]</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">then</span>
</span></span><span style="display:flex;"><span><span style="color:#008080">USER_IP</span><span style="color:#000;font-weight:bold">=</span><span style="color:#d14">`</span>hostname<span style="color:#d14">`</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">fi</span>
</span></span><span style="display:flex;"><span><span style="color:#0086b3">export</span> <span style="color:#008080">HISTTIMEFORMAT</span><span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#34;%F %T </span><span style="color:#008080">$USER_IP</span><span style="color:#d14"> `whoami` &#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#0086b3">shopt</span> -s histappend
</span></span><span style="display:flex;"><span><span style="color:#0086b3">export</span> <span style="color:#008080">PROMPT_COMMAND</span><span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#34;history -a&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic">###### 加固历史命令显示 #########</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h2 id="4挖矿病毒的参考">4、挖矿病毒的参考</h2>
<p>因为我发觉的2次挖矿病毒跟下面的部分表相很像但是又不完全一样，可能是变种或者改进了<br>
kinsing: <a href="https://blog.trendmicro.com.tw/?p=66511">https://blog.trendmicro.com.tw/?p=66511</a> <br>
kinsing: <a href="https://blog.csdn.net/cfm_gavin/article/details/103803448">https://blog.csdn.net/cfm_gavin/article/details/103803448</a><br>
sh: <a href="https://notes.daiyuhe.com/clear-linux-mining-virus/">https://notes.daiyuhe.com/clear-linux-mining-virus/</a><br>
sh: <a href="https://blog.csdn.net/jabyn/article/details/111239735">https://blog.csdn.net/jabyn/article/details/111239735</a><br>
xr: <a href="https://www.freebuf.com/column/240100.html">https://www.freebuf.com/column/240100.html</a></p>

        </div>

        
<div class="post-archive">
    <ul class="post-copyright">
        <li><strong>原文作者：</strong><a rel="author" href="https://anttu.gitee.io/">Anttu</a></li>
        <li style="word-break:break-all"><strong>原文链接：</strong><a href="https://anttu.gitee.io/post/2021-01-28-miner_virus_2/">https://anttu.gitee.io/post/2021-01-28-miner_virus_2/</a></li>
        <li><strong>版权声明：</strong>本作品采用<a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/">知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议</a>进行许可，非商业转载请注明出处（作者，原文链接），商业转载请联系作者获得授权。</li>
    </ul>
</div>
<br/>



        

<div class="post-archive">
    <h2>See Also</h2>
    <ul class="listing">
        
        <li><a href="/post/2020-08-19-mine_virus/">分析挖矿病毒</a></li>
        
        <li><a href="/post/2020-09-17-xwindows_x11_xquartz/">Mac下远程运行Linux的GUI程序</a></li>
        
        <li><a href="/post/2020-09-10-asciinema_local_test/">linux下录屏工具本地化测试</a></li>
        
        <li><a href="/post/2019-12-21-mysql_expansion/">mysql集群在线无损扩容</a></li>
        
        <li><a href="/post/2019-04-21-linux_knoledge/">linux的一些细节点-不定期补充</a></li>
        
    </ul>
</div>


        <div class="post-meta meta-tags">
            
            <ul class="clearfix">
                
                <li><a href='/tags/mine' target="_blank">mine</a></li>
                
                <li><a href='/tags/virus' target="_blank">virus</a></li>
                
                <li><a href='/tags/linux' target="_blank">linux</a></li>
                
                <li><a href='/tags/check' target="_blank">check</a></li>
                
            </ul>
            
        </div>
    </article>
    
    

    
    
    <div class="post bg-white">
      <script src="https://utteranc.es/client.js"
            repo= "anTtutu/anTtutu.github.io"
            issue-term="pathname"
            theme="github-light"
            crossorigin="anonymous"
            async>
      </script>
    </div>
    
    
    
</div>

                    <footer id="footer">
    <div>
        &copy; 2025 <a href="https://anttu.gitee.io/">Anttu&#39;s Blog By Anttu</a>
        
    </div>
    <br />
    <div>
        <div class="github-badge">
            <a href="https://gohugo.io/" target="_black" rel="nofollow"><span class="badge-subject">Powered by</span><span class="badge-value bg-blue">Hugo</span></a>
        </div>
        
        <div class="github-badge">
            <a href="https://github.com/flysnow-org/maupassant-hugo" target="_black"><span class="badge-subject">Theme</span><span class="badge-value bg-yellowgreen">Maupassant</span></a>
        </div>
    </div>
</footer>


    
    
    <script type="text/javascript">
        window.MathJax = {
            tex2jax: {
                inlineMath: [['$', '$']],
                processEscapes: true
                }
            };
    </script>
    <script src='//cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML' async></script>

<a id="rocket" href="#top"></a>
<script type="text/javascript" src='/js/totop.js?v=0.0.0' async=""></script>
<style type="text/css">
div.highlight {
    position: relative;
    margin: 1em 0px;
}

.copy-code {
    display: none;
    position: absolute;
    top: 4px;
    right: 4px;
    color: rgba(255, 255, 255, 0.8);
    background: rgba(78, 78, 78, 0.8);
    border-radius: var(--radius);
    padding: 0 5px;
    font: inherit;
    user-select: none;
    cursor: pointer;
    border: 0;
    --radius: 8px;
}

div.highlight:hover .copy-code,pre:hover .copy-code {
    display: block;
}

</style>
<script>
    document.querySelectorAll('pre > code').forEach((codeblock) => {
        const container = codeblock.parentNode.parentNode;

        const copybutton = document.createElement('button');
        copybutton.classList.add('copy-code');
        copybutton.innerHTML = 'copy';

        function copyingDone() {
            copybutton.innerHTML = 'copied!';
            setTimeout(() => {
                copybutton.innerHTML = 'copy';
            }, 2000);
        }

        copybutton.addEventListener('click', (cb) => {
            if ('clipboard' in navigator) {
                navigator.clipboard.writeText(codeblock.textContent);
                copyingDone();
                return;
            }

            const range = document.createRange();
            range.selectNodeContents(codeblock);
            const selection = window.getSelection();
            selection.removeAllRanges();
            selection.addRange(range);
            try {
                document.execCommand('copy');
                copyingDone();
            } catch (e) { };
            selection.removeRange(range);
        });

        if (container.classList.contains("highlight")) {
            container.appendChild(copybutton);
        } else if (container.parentNode.firstChild == container) {
            
        } else if (codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.nodeName == "TABLE") {
            
            codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.appendChild(copybutton);
        } else {
            
            codeblock.parentNode.appendChild(copybutton);
        }
    });
</script>


    <script type="text/javascript" src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" async></script>




    <script src='/js/asciinema-player.js'></script>

                </div>

                <div id="secondary">
    <section class="widget">
        <form id="search" action='https://anttu.gitee.io/search' method="get" accept-charset="utf-8" target="_blank" _lpchecked="1">
      
      <input type="text" name="q" maxlength="20" placeholder="Search">
      <input type="hidden" name="sitesearch" value="https://anttu.gitee.io/">
      <button type="submit" class="submit icon-search"></button>
</form>
    </section>
    
    <section class="widget">
        <h3 class="widget-title">最近文章</h3>
<ul class="widget-list">
    
    <li>
        <a href="https://anttu.gitee.io/post/2025-02-13-mvnd/" title="mvnd结合idea使用" target="_blank">mvnd结合idea使用</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2024-04-15-postgresql/" title="postgresql数据库常用记录" target="_blank">postgresql数据库常用记录</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2023-06-16-miner_virus_5/" title="挖矿病毒5-私有云机房挖矿病毒定位" target="_blank">挖矿病毒5-私有云机房挖矿病毒定位</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-12-26-covid-19/" title="羊了" target="_blank">羊了</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-12-19-git_delete_history/" title="git删除历史提交记录" target="_blank">git删除历史提交记录</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-28-python_muilt_version/" title="python多版本管理工具" target="_blank">python多版本管理工具</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-22-springboot_start_failed/" title="springboot常见兼容性错误" target="_blank">springboot常见兼容性错误</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-14-docker_port/" title="docker修改运行的容器端口" target="_blank">docker修改运行的容器端口</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-11-10-go_muilt_version/" title="go多版本管理工具" target="_blank">go多版本管理工具</a>
    </li>
    
    <li>
        <a href="https://anttu.gitee.io/post/2022-10-27-jenkins_reset/" title="jenkins的admin密码忘记了如何重置" target="_blank">jenkins的admin密码忘记了如何重置</a>
    </li>
    
</ul>
    </section>

    

    <section class="widget">
        <h3 class="widget-title"><a href='/categories/'>分类</a></h3>
<ul class="widget-list">
    
    <li><a href="https://anttu.gitee.io/categories/about/">about (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/android/">android (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/app/">app (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/aria2/">aria2 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/arm64/">arm64 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/arthas/">arthas (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/awr/">awr (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/backend_execute/">backend_execute (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/backup/">backup (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/blog/">blog (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/bug/">bug (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/build/">build (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cache/">cache (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/caffeine/">caffeine (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/captcha/">captcha (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/check/">check (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/clean/">clean (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cli/">cli (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cluster/">cluster (4)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/covid-19/">covid-19 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cve/">cve (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/cygwin/">cygwin (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dataguard/">dataguard (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/db/">db (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/deepfacelab/">deepfacelab (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/devops/">devops (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/docker/">docker (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dockerfile/">dockerfile (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dos/">dos (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/dump/">dump (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/eclipse/">eclipse (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/explain/">explain (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/faker/">faker (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/gcc/">gcc (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/git/">git (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/gitment/">gitment (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/gitpages/">gitpages (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/go/">go (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/h2/">h2 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/h5/">h5 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/ha/">ha (4)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/http/">http (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/hugo/">hugo (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/id/">id (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/idea/">idea (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/java/">java (24)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jekyll/">jekyll (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jenkins/">jenkins (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jrebel/">jrebel (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/js/">js (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jsr/">jsr (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/jvm/">jvm (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/kafka/">kafka (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/kali/">kali (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/kenlm/">kenlm (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/linux/">linux (22)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/log/">log (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/log4j/">log4j (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/lombok/">lombok (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mac/">mac (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/matplotlib/">matplotlib (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/maven/">maven (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mine/">mine (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mongodb/">mongodb (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mvnd/">mvnd (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/mysql/">mysql (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/nginx/">nginx (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/nmap/">nmap (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/oom/">oom (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/oracle/">oracle (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/orangePi/">orangePi (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/package/">package (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/pandas/">pandas (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/pg/">pg (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/port/">port (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/postgresql/">postgresql (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/python/">python (8)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/rec/">rec (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/redis/">redis (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/regexp/">regexp (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/safe/">safe (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/sdk/">sdk (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/shell/">shell (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/split/">split (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/springboot/">springboot (4)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/springcloud/">springcloud (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/sqlmap/">sqlmap (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/ssd/">ssd (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/tcp/">tcp (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/termux/">termux (2)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/test/">test (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/testing/">testing (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/union_id/">union_id (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/vcs/">vcs (7)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/virus/">virus (5)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/vxvm/">vxvm (3)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/win10/">win10 (6)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/xrebel/">xrebel (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/ynote/">ynote (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/zk/">zk (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/zookeeper/">zookeeper (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/%E5%89%8D%E7%AB%AF/">前端 (1)</a></li>
    
    <li><a href="https://anttu.gitee.io/categories/%E5%AE%B9%E7%81%BE/">容灾 (1)</a></li>
    
</ul>
    </section>

    <section class="widget">
        <h3 class="widget-title"><a href='/tags/'>标签</a></h3>
<div class="tagcloud">
    
    <a href="https://anttu.gitee.io/tags/about/">about</a>
    
    <a href="https://anttu.gitee.io/tags/android/">android</a>
    
    <a href="https://anttu.gitee.io/tags/app/">app</a>
    
    <a href="https://anttu.gitee.io/tags/aria2/">aria2</a>
    
    <a href="https://anttu.gitee.io/tags/arm64/">arm64</a>
    
    <a href="https://anttu.gitee.io/tags/awr/">awr</a>
    
    <a href="https://anttu.gitee.io/tags/backup/">backup</a>
    
    <a href="https://anttu.gitee.io/tags/blog/">blog</a>
    
    <a href="https://anttu.gitee.io/tags/bug/">bug</a>
    
    <a href="https://anttu.gitee.io/tags/build/">build</a>
    
    <a href="https://anttu.gitee.io/tags/captcha/">captcha</a>
    
    <a href="https://anttu.gitee.io/tags/check/">check</a>
    
    <a href="https://anttu.gitee.io/tags/cluster/">cluster</a>
    
    <a href="https://anttu.gitee.io/tags/cygwin/">cygwin</a>
    
    <a href="https://anttu.gitee.io/tags/dataguard/">dataguard</a>
    
    <a href="https://anttu.gitee.io/tags/deepfacelab/">deepfacelab</a>
    
    <a href="https://anttu.gitee.io/tags/dos/">dos</a>
    
    <a href="https://anttu.gitee.io/tags/eclipse/">eclipse</a>
    
    <a href="https://anttu.gitee.io/tags/explain/">explain</a>
    
    <a href="https://anttu.gitee.io/tags/gcc/">gcc</a>
    
    <a href="https://anttu.gitee.io/tags/gitment/">gitment</a>
    
    <a href="https://anttu.gitee.io/tags/gitpages/">gitpages</a>
    
    <a href="https://anttu.gitee.io/tags/go/">go</a>
    
    <a href="https://anttu.gitee.io/tags/h2/">h2</a>
    
    <a href="https://anttu.gitee.io/tags/h5/">h5</a>
    
    <a href="https://anttu.gitee.io/tags/ha/">ha</a>
    
    <a href="https://anttu.gitee.io/tags/http/">http</a>
    
    <a href="https://anttu.gitee.io/tags/hugo/">hugo</a>
    
    <a href="https://anttu.gitee.io/tags/java/">java</a>
    
    <a href="https://anttu.gitee.io/tags/jekyll/">jekyll</a>
    
    <a href="https://anttu.gitee.io/tags/jrebel/">jrebel</a>
    
    <a href="https://anttu.gitee.io/tags/js/">js</a>
    
    <a href="https://anttu.gitee.io/tags/jsr/">jsr</a>
    
    <a href="https://anttu.gitee.io/tags/kafka/">kafka</a>
    
    <a href="https://anttu.gitee.io/tags/kali/">kali</a>
    
    <a href="https://anttu.gitee.io/tags/kenlm/">kenlm</a>
    
    <a href="https://anttu.gitee.io/tags/linux/">linux</a>
    
    <a href="https://anttu.gitee.io/tags/log4j/">log4j</a>
    
    <a href="https://anttu.gitee.io/tags/mac/">mac</a>
    
    <a href="https://anttu.gitee.io/tags/mine/">mine</a>
    
    <a href="https://anttu.gitee.io/tags/mongodb/">mongodb</a>
    
    <a href="https://anttu.gitee.io/tags/mysql/">mysql</a>
    
    <a href="https://anttu.gitee.io/tags/nginx/">nginx</a>
    
    <a href="https://anttu.gitee.io/tags/oom/">oom</a>
    
    <a href="https://anttu.gitee.io/tags/oracle/">oracle</a>
    
    <a href="https://anttu.gitee.io/tags/orangePi/">orangePi</a>
    
    <a href="https://anttu.gitee.io/tags/python/">python</a>
    
    <a href="https://anttu.gitee.io/tags/rec/">rec</a>
    
    <a href="https://anttu.gitee.io/tags/redis/">redis</a>
    
    <a href="https://anttu.gitee.io/tags/safe/">safe</a>
    
    <a href="https://anttu.gitee.io/tags/shell/">shell</a>
    
    <a href="https://anttu.gitee.io/tags/springboot/">springboot</a>
    
    <a href="https://anttu.gitee.io/tags/sqlmap/">sqlmap</a>
    
    <a href="https://anttu.gitee.io/tags/ssd/">ssd</a>
    
    <a href="https://anttu.gitee.io/tags/tcp/">tcp</a>
    
    <a href="https://anttu.gitee.io/tags/termux/">termux</a>
    
    <a href="https://anttu.gitee.io/tags/union_id/">union_id</a>
    
    <a href="https://anttu.gitee.io/tags/vcs/">vcs</a>
    
    <a href="https://anttu.gitee.io/tags/virus/">virus</a>
    
    <a href="https://anttu.gitee.io/tags/vxvm/">vxvm</a>
    
    <a href="https://anttu.gitee.io/tags/win10/">win10</a>
    
    <a href="https://anttu.gitee.io/tags/xrebel/">xrebel</a>
    
    <a href="https://anttu.gitee.io/tags/ynote/">ynote</a>
    
    <a href="https://anttu.gitee.io/tags/zk/">zk</a>
    
    <a href="https://anttu.gitee.io/tags/zookeeper/">zookeeper</a>
    
    <a href="https://anttu.gitee.io/tags/%E5%AE%B9%E7%81%BE/">容灾</a>
    
</div>
    </section>

    

    <section class="widget">
        <h3 class="widget-title">其它</h3>
        <ul class="widget-list">
            <li><a href="https://anttu.gitee.io/index.xml">文章 RSS</a></li>
        </ul>
    </section>
</div>
            </div>
        </div>
    </div>
</body>

</html>